12.08.2009

After a much too long hiatus and sabbatical of sorts, I’m back to contributing to the efforts here at Cassandra.

Anyhow, I came across this article very recently and, while it was published in September, it is a very timely topic given some of the conversations I’ve had with my colleagues here at Cassandra. What follows is my philosophical post. But first I have to give the folks at Defence Intelligence the proper credit and recognition, as the Fox News article referenced above comes from their work.

The first line, stating that at least 50 of the companies in the Fortune 100 are compromised by an information-stealing botnet, was not surprising to me at all. But it did get me thinking about the state of security programs, processes and technology in these organizations, among others. It might be easy to blame specific industries and their focus on regulatory compliance rather than security (yes, they’re different, and we’ll discuss that in another article), or to lay blame at the feet of a lack of budget and resources, a lack of technology savvy, or some other excuse. But we must first understand that the Fortune 100 are the largest companies in the U.S.

Let’s start with a few assumptions:

1 – The Fortune 100 are likely to be among the most savvy companies in the world when it comes to adopting and using people, processes and technology to enable their business.

2 – They are more likely to have the resources to enable effective information security programs than smaller companies.

3 – They are likely to have established a CISO or equivalent position.

4 – They are likely to be considered very coveted accounts by technology and security vendors. Therefore, we can expect that they are at least made aware of the latest innovations in technology and security, and should certainly be made aware of those vendors’ research efforts into current threats.

Now that I’ve made a few assumptions, I want to dive into the thoughts I had on this article.

As I read the article and made these assumptions in my mind, I asked myself: “If over 50% of the Fortune 100 have been compromised, what does that say about the rest of the companies in the US?” The reality is that there is no way to know what it means for the rest of the companies; however, we can probably very safely assume that over 50% of them are compromised as well.

What is not made clear in the article, or in the research details I’ve been able to review thus far, is how deep the compromise goes into these organizations. Are we talking hundreds or thousands of systems, or are we talking a few to tens? That would help put some of this into better context for this article, but lacking that information I’m going to do my best to illustrate what this could mean from an information security perspective.

Maybe the question to ask is, “What did the other 47% do right?” Or were they simply not tested? There is much to be learned from the research and this report, but one thing is very clear to me: these companies have plenty to be concerned about when it comes to the state of their information security programs.

More later…

Comments

  1. Will Gragido on 12.08.2009

    Scott,

    Great article. Great post. That was a troubling story, and the facts as you pointed out are pretty staggering, as are the unanswered questions (or details which have not been provided) pertaining to the remainder of the Fortune 500. This I think demonstrates the need for advanced solution sets and different approaches to threat mitigation. Botnets in particular are devilishly difficult to detect and address, as in many respects they utilize sophisticated routing solutions, topologies, C&C elements, cryptography, etc. Botnets are definitely not your father’s malware!

  2. Ken Beames on 12.14.2009

    Scott, great thoughts. I do have issue with your first assumption. I used to work for a very large bank in the information risk management group, and though they had the resources, were coveted by every security vendor on the planet, and had established positions, policies and procedures, the business drivers were such that risk was something to take the run at. They made more money than fines or bad press would impact, and when faced with a choice to secure or not to secure, they usually chose not to secure, as it would impact the business in interruption of service, impact on flexibility of working, etc.

    What I learned is that running the risk (acceptable residual risk), whether formally or informally accepted (like through denial), is a relatively effective risk management strategy for them.

    All the best! -Ken.

  3. Scott Lupfer on 12.14.2009

    Ken, thanks for the comment, and I’m glad you take issue with my first assumption, because that is the basis of my “more later” statement. There is a huge gap between what a company may have the resources or ability to do and what they choose to actually do with regard to security. If that were not true, we wouldn’t need PCI DSS to tell us how to protect credit card information, or HIPAA to tell us how to protect personal healthcare information, or…you get the idea.

    We wouldn’t need these legislative and/or regulatory requirements because organizations would choose to implement quality security programs from the start, rather than wait for something to happen and then analyze whether or not they should do something to prevent it from happening again.

    Thanks again for your comment and for sharing your experience.

    Scott

  4. Ken Beames on 12.16.2009

    Right-o Scott! I’m looking forward to reading the next installment!

    All the best! -Ken.
